AGENTS.md: rails Architectural Context & Engagement Rules

1. Information Flow & Purpose (The Executive Summary)

You are operating within the rails repository, the core codebase for the Ruby on Rails web-application framework. The architecture is primarily composed of Ruby (47.7%) and Markdown documentation (29.9%), with a supporting layer of JavaScript (10.4%) for frontend components like ActionCable and ActiveStorage. * Architectural Paradigm: The system maps to a "Cluster 4" macro-species and exhibits a high Architectural Drift Z-Score of 5.731. The network topology demonstrates high Modularity (0.6856) but negative Assortativity (-0.5848). This signifies a framework composed of cleanly segregated micro-boundaries (e.g., ActiveRecord, ActionMailbox, ActionCable) that nonetheless rely heavily on fragile, highly centralized single-points-of-failure for testing, configuration, and release orchestration. * Information Flow: Information and execution flow is driven heavily by discrete modular engines (Railties) and orchestrated at the macro level by Rakefiles and code generators. Input enters via controllers or websocket boundaries (ActionCable), is processed through framework-specific handlers (ActionText, ActiveStorage), and interfaces with the underlying storage layer (ActiveRecord). * Core Rule: Maintain strict adherence to the modular engine architecture. Do NOT tightly couple discrete domains (e.g., ActionMailbox and ActiveStorage) directly; rely on Railties and abstract interfaces. When modifying core utilities, respect the extensive backward-compatibility requirements of the framework.

2. Notable Structures & Architecture

• Foundational Load-Bearers: Tooling components like tools/releaser/test/test_helper.rb and tools/releaser/lib/releaser.rb act as foundational pillars for the CI/CD and release ecosystem, carrying high inbound connections.
• Fragile Orchestrators: The framework relies heavily on scripts and generators to orchestrate behavior. guides/rails_guides/generator.rb (11 outbound dependencies) and various Rakefiles (e.g., in activerecord and railties) pull in vast dependency trees to manage builds and tests, making them highly coupled and fragile to environmental changes.
• Algorithmic Complexity: The ActionMailbox ingress controllers (mandrill/inbound_emails_controller.rb, mailgun/...) and ActionText content helpers exhibit O(2^N) static analysis complexity. These represent dense, recursive data parsing paths that must carefully manage memory allocation when handling large inbound text or MIME payloads.

3. Security & Vulnerabilities

Status: SECURE PERIMETER (WITH INJECTION CAVEATS). Structural Threat Intelligence audits have flagged 0 malicious artifacts.

CRITICAL WARNINGS: 1. Weaponizable Injection Vectors: The actioncable/Rakefile and tools/cve_announcement.rb exhibit 100% Weaponizable Injection Exposure. Because these scripts likely process environment variables, CLI arguments, or network data to generate releases or announcements, you MUST ensure strict sanitization to prevent arbitrary command injection. 2. Exploit Generation Surface: ActionMailbox and ActiveStorage parse untrusted, user-provided files and email payloads. While the core is secure, ensure any modifications to these controllers (e.g., activestorage/app/models/active_storage/blob.rb) strictly enforce MIME type validation and bounds checking to prevent server-side request forgery (SSRF) or arbitrary file overwrites. 3. Supply Chain: There are 21 unknown dependencies bypassing the Zero-Trust whitelist, typical for a large monorepo with multiple sub-gems. Do not add or bump external packages in gemspecs without explicit architectural review.

4. Outliers & Extremes

• The Hotspot Matrix (Volatility + Risk): Core components such as actiontext/app/models/action_text/rich_text.rb (59.2% Churn) and railties/Rakefile (56.0% Churn) are highly volatile. They represent constant iteration on rich text handling and framework bootstrapping, making them high-friction areas for developers.
• Key Person Silos: Severe "Bus Factor" risks exist around specific domain implementations. For example, actionmailbox/app/controllers/action_mailbox/ingresses/mailgun/inbound_emails_controller.rb is 100% isolated to David Heinemeier Hansson, while the guides generator (guides/rails_guides/generator.rb) is 100% isolated to Harsh Deep.
• Blind Bottlenecks: tools/releaser/lib/releaser.rb is a massive "God Node" with a Severity rating of 2360.4. It controls the release process but lacks human intent, documentation, or ownership metadata (100% Doc Risk), meaning maintainers modifying the release pipeline are flying blind.
• Design Slop: Files such as actioncable/app/javascript/action_cable/subscriptions.js contain orphaned functions. These usually represent public API surfaces intended for downstream consumers rather than dead internal code; do not prune them autonomously.

5. Recommended Next Steps (Refactoring for Stability)

To stabilize the architecture and reduce cognitive load for ongoing maintenance, prioritize the following pragmatic actions:

1. Document the Releaser Blind Bottleneck: Address the 100% documentation risk in tools/releaser/lib/releaser.rb. Adding comprehensive YARD documentation detailing the release phases and environmental prerequisites will significantly reduce the risk of catastrophic deployment failures.
2. Mitigate ActionMailbox Silos: Distribute domain knowledge regarding the ActionMailbox ingress controllers (Mailgun, Mandrill) to reduce the reliance on single contributors. Ensuring multiple maintainers understand the MIME parsing logic will improve security auditing.
3. Refactor Volatile Rakefiles: railties/Rakefile and actioncable/Rakefile suffer from high churn, high tech debt, and injection risks. Decompose these monolithic Rakefiles by moving complex build or test orchestration logic into dedicated, testable Ruby classes within a lib/tasks/ or tools/ directory.